On Sat, Dec 06, 2008 at 08:21:12PM +0200, subscriptions wrote:
>
> > On Thu, Dec 04, 2008 at 12:26:31PM +0000, Magnus Therning wrote:
> > I'd feel a bit more safe if the signing could be done on a separate
> > server. However, the built files are large and I don't want to
> > introduce a bottleneck by transferring all files back and forth over
> > the network.
>
> The above sentences describe a mutually exclusive proposition.
>
> That is the problem!

Why? Technically you just need the digest (e.g.: the .dsc file) to sign.
The signature technically only signs its content.

If you don't trust the build system to provide you the correct
information, how come you trust it not to modify the package before
signing (e.g.: add a 'rm -rf /*' in the prerm script)?

-- 
Tzafrir Cohen | http://tzafrir.org.il | ICQ# 16849754
VIM is a Mutt's best friend
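
The two points made in the reply above, as an added example that is not part of the original thread: only a small manifest of digests has to reach the signing host, and the signature covers exactly what that manifest says. The file names, the key and the manifest layout are constructed for illustration, and HMAC-SHA256 stands in for a detached OpenPGP signature so the code runs with the standard library alone.

```python
import hashlib
import hmac
import io

def build_manifest(artifacts):
    """Build host: hash each artifact in chunks; only this small text is sent out."""
    lines = []
    for name in sorted(artifacts):
        stream, digest, size = io.BytesIO(artifacts[name]), hashlib.sha256(), 0
        for chunk in iter(lambda: stream.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
        lines.append(f"{digest.hexdigest()} {size} {name}")
    return ("\n".join(lines) + "\n").encode()

def sign_manifest(key, manifest):
    """Signing host: sees the manifest only. HMAC-SHA256 is a stdlib stand-in
    for the detached OpenPGP signature a real archive would use."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()

def verify(key, manifest, signature, artifacts):
    """Consumer: check the signature over the manifest, then the files against it."""
    if not hmac.compare_digest(sign_manifest(key, manifest), signature):
        return "bad signature"
    if build_manifest(artifacts) != manifest:
        return "artifact mismatch"
    return "ok"

def demo():
    key = b"constructed-demo-key"  # constructed; lives only on the signing host
    built = {  # constructed stand-ins for large build outputs
        "hello_1.0.orig.tar.gz": b"\x00" * 5_000_000,
        "hello_1.0-1.diff.gz": b"\x01" * 200_000,
    }
    manifest = build_manifest(built)
    sig = sign_manifest(key, manifest)
    results = {"bytes_built": sum(map(len, built.values())),
               "bytes_sent_to_signer": len(manifest),
               "clean": verify(key, manifest, sig, built)}
    # Changed after signing: caught, because the hash no longer matches.
    changed = dict(built, **{"hello_1.0-1.diff.gz": b"\x02" * 200_000})
    results["changed_after_signing"] = verify(key, manifest, sig, changed)
    # Changed on the build host before hashing: the signer signs what it is told,
    # so this verifies. The separate host protects the key, not the build.
    manifest2 = build_manifest(changed)
    results["changed_before_signing"] = verify(
        key, manifest2, sign_manifest(key, manifest2), changed)
    return results

if __name__ == "__main__":
    print(demo())
```
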

